Lucene search

MitreCVE-2011-4749

HistoryDec 16, 2011 - 11:55 a.m.

CVE-2011-4749

2011-12-1611:55:10

CWE-255

mitre

web.nvd.nist.gov

cve-2011-4749

parallels plesk panel

billing system

authentication bypass

remote attackers

nvd

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

AI Score

7.3

Confidence

Low

EPSS

0.005

Percentile

77.4%

JSON

The billing system for Parallels Plesk Panel 10.3.1_build1013110726.09 generates a password form field without disabling the autocomplete feature, which makes it easier for remote attackers to bypass authentication by leveraging an unattended workstation, as demonstrated by forms on certain pages under admin/index.php/default.

Affected configurations

Nvd

Node

parallelsparallels_plesk_panelMatch10.3.1_build1013110726.09

AND

redhatenterprise_linuxMatch6.0

VendorProductVersionCPE
parallelsparallels_plesk_panel10.3.1_build1013110726.09cpe:2.3:a:parallels:parallels_plesk_panel:10.3.1_build1013110726.09:*:*:*:*:*:*:*
redhatenterprise_linux6.0cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
parallels	parallels_plesk_panel	10.3.1_build1013110726.09	cpe:2.3:a:parallels:parallels_plesk_panel:10.3.1_build1013110726.09:::::::*
redhat	enterprise_linux	6.0	cpe:2.3:o:redhat:enterprise_linux:6.0:::::::*

References

xss.cx/examples/plesk-reports/plesk-parallels-controlpanel-psa.v.10.3.1_build1013110726.09%20os_redhat.el6-billing-system-plugin-javascript-injection-example-poc-report.html

exchange.xforce.ibmcloud.com/vulnerabilities/72260

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

AI Score

7.3

Confidence

Low

EPSS

0.005

Percentile

77.4%

JSON

Related for CVE-2011-4749